Recently I spoke at the BIL conference in Long Beach, Calif. One of the other presenters was Brad Templeton, chairman of the Electronic Frontier Foundation. Brad is widely known on the Internet (and in the legal community) for writing about political and social issues related to network computing. He's also the author of "10 Big Myths about Copyright Explained," and he coined the term "spamigation" in response to the massive lawsuits undertaken solely for the purpose of harassing and intimidating defendants.

At BIL '09, Brad gave a presentation entitled "The Evils of Cloud Computing: Data Portability and Single Sign On." I wanted to give Brad the opportunity to discuss the problems he sees and propose solutions to the cloud computing community, so I asked him a few questions. This way we won't speculate or judge what Brad means when he calls cloud computing "evil."

Do you think cloud computing is inherently evil or just inherently dangerous?

I use the word "evil" as hyperbole. [Cloud computing] has many positive attributes, but right now, people are taking it as entirely positive. It is the hot thing, the "obvious" way to design new applications. What is important is that people understand some of the dangers, see if they are worth it, and see if they can avoid them.

You wrote, "Cloud computing is time-sharing -- we run our software and hold our data on remote computers and connect to them from terminals. It's a swing back from personal computing, where you had your own computer, and it erases the Fourth Amendment by putting our data in the hands of others." That sounds evil to me, but I'm not sure cloud computing is so well defined. Propose a definition that wouldn't "erase the Fourth Amendment."

The term is typically used to describe an application design where the computers doing the real work, and storing the data, are "in the cloud" (i.e., remotely accessed over the Internet).

The 4th amendment protects your personal data when it's in your house, and other places where you have a "reasonable expectation of privacy," to use the legal term. Unfortunately, the courts have ruled that if you put information in the hands of 3rd parties, even if only for a very specific purpose, you can lose that expectation. So the DOJ regularly acts to seize data in 3rd party hands without warrants -- for example from webmail providers -- and this will surely expand to all sorts of cloud data.

Sometimes data in the cloud is protected by statutes. E-mails and medical records have their own statutory protections, which is good, but not enough. We need a push to ensure that my data (such as a spreadsheet I make in Google docs) is counted as "my papers" and fully protected by the 4th amendment even though it sits on a Google owned server. I'm not saying your cloud files are totally unprotected today, but the standard is much less than the protection given the files on your own computer -- we would like it raised.

It's also important to understand that even when they do need a warrant to get at your data, the warrant will be served on the hosting company, not you. Many hosting companies will fight for your rights, but nobody is as interested in challenging the warrant as you are. When data is outside your hands, you can lose that opportunity.

If we can't get a general expansion of the expectation of privacy, we may be able to see if the courts will accept contractual nuances. Perhaps we can define it so that Google is renting me, or even selling me, a strip of disk, making it mine the way a rented apartment is mine. But this is tough. The law has to change -- or people designing cloud applications need to worry about this.

Strictly I am talking about applications and data hosted in a cloud. The more basic definition of cloud computing, where one company rents computing resources by the hour from a big hosting company, that doesn't have quite as many negative consequences. It's more like outsourcing.

Several people have proposed a "partly cloudy" solution to cloud privacy, where user data is stored locally but processing occurs in a cloud. What's the Electronic Frontier Foundation's opinion of this approach? Is it a solution or just a Band-Aid?

This improves things, in that your data is only out there in 3rd party hands temporarily. It needs a strong warrant (a wiretap) to get at it. But your data is still out there where others can get it, without having to go through you; without giving you the right to legally oppose their seizure of it.

My personal view is we might want to go a step further. Do your storage locally and your processing locally, but take in the software code and other needed data from the cloud. I call this approach "data hosting." If you owned the server on which it took place, that would give you Fourth Amendment protection. If you just bought services on that machine, it might not, but it seems like that's an easier fight to win, where rental facilities count as yours. (After all, a rented home is your home as far as the Fourth Amendment is concerned.)

There is another advantage to data hosting, as it turns out: Any new application can scale without effort if the users are providing the CPU and bandwidth resources for it, one by one. And in addition, a user who wants better performance can pay for it. The hard part is security.

The EFF spends a good deal of time advocating for Internet users' privacy rights and educating people about modern threats to their privacy. Do you see consumer behavior changing as cloud computing becomes more popular, or do you only see a larger threat to individual privacy?

Unfortunately, consumers tend to only care about privacy issues after they have their privacy violated. When it happens distantly to somebody else, people don't put a lot of energy into it. Education helps, but only so much. I believe that people architecting systems must realize that they are writing policy when they do this, and they should think if they are creating the policies and practices they really want. Both for themselves and for people who will use the code and its successors in other countries like China or Saudi Arabia.

Many startups are using cloud computing resources as a way to bootstrap their business. In your opinion, what effect does it have on consumers' right to privacy if the company they're doing business with may not have any real control or influence over what happens to their data? Does cloud computing become uber-evil if I start my business in the cloud, sign you up as a customer, and never consider my legal obligations regarding a third-party that has access to your data?

This is a big risk. It's happened many times that companies have gotten lots of your data and then been sold to another company with different motives. Or just gotten poor and ready to throw principles out the window to stay afloat.

Companies have always collected data about us, of course, and it has been subject to this risk. Cloud computing, however, starts moving all of your personal data out of your house and into the hands of third parties. This shifts the balance and shifts it a lot. It's something we should realize we're doing even if we decide in the end we like the advantages so much (roaming, scaling) that we are going to do it. Let's not do it blind.

That sounds more like just renting computing by the hour. The only big issue with that is this: If you are holding data for other people (such as your users), now this data is out somewhere else, under not just your control, but this other hosting company's control. Your ex-husband's divorce lawyer now has three places to try to get it, not just two or, more ideally, just one -- you.

Where do you see yourself in the dark future when computing resources are consolidated under the iron fist of a small evil cartel? (Just kidding.) If cloud computing explodes, and succeeds where similar attempts have failed, what would your perfect balance between consolidated computing resources and individual privacy protection look like? What's your best vision of cloud computing in the future?

I would like to see both a change in the law so that the Fourth Amendment covers your data on other people's disks and more physical security as well. For example, if your data is not needed when you are not logged on with a session, your data should be encrypted on the other party's disk. When you are logged on, the data would be decrypted on the fly, the keys erased when you log off. This is harder to do, but it's not impossible, and it provides good strong protection -- even the hosting company's corrupt employee can't read your data if you don't log on.

I would also like to see the final step -- let me host my data and processing where I can so it is fully under my legal and technical control.
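The session-bound encryption Brad sketches above (ciphertext at rest, key derived at login, key erased at logoff, so an operator or corrupt employee holding the disk cannot read the data) can be shown in a few dozen lines. The following is an added illustration written for this page, not code from Brad Templeton, the EFF or any hosting provider. The `HostedStore` class, the user "alice" and the sample "budget.csv" record are constructed for the demo. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only because it needs nothing beyond the Python standard library; a production system would use AES-GCM or ChaCha20-Poly1305 from a real crypto library and a memory-hard KDF such as scrypt or Argon2 rather than PBKDF2.

```python
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _derive_key(password: str, salt: bytes) -> bytes:
    # Password -> 256-bit key. The server never stores the password or this key
    # on disk; only the public salt is persisted. (Assumption for the demo:
    # PBKDF2 here; prefer scrypt/Argon2 in production.)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the session key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    # Counter mode built from HMAC: block i = HMAC(enc_key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def _decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Wrong password (wrong key) or tampered blob: refuse rather than emit garbage.
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class HostedStore:
    """Hypothetical hosting-side store: disk holds salts and ciphertext only."""

    def __init__(self):
        self.records = {}   # persisted: user -> {"salt": bytes, "blobs": {name: bytes}}
        self.sessions = {}  # RAM only: session token -> (user, key)

    def login(self, user: str, password: str) -> str:
        rec = self.records.setdefault(user, {"salt": os.urandom(16), "blobs": {}})
        token = secrets.token_hex(16)
        self.sessions[token] = (user, _derive_key(password, rec["salt"]))
        return token

    def logout(self, token: str) -> None:
        # Drops the key; from here on the server holds data it cannot open.
        self.sessions.pop(token, None)

    def put(self, token: str, name: str, plaintext: bytes) -> None:
        user, key = self.sessions[token]
        self.records[user]["blobs"][name] = _encrypt(key, plaintext)

    def get(self, token: str, name: str) -> bytes:
        user, key = self.sessions[token]
        return _decrypt(key, self.records[user]["blobs"][name])


def demo() -> dict:
    """Walk through login, store, logout, then an insider's attempts to read."""
    store = HostedStore()
    tok = store.login("alice", "correct horse battery staple")   # constructed user
    store.put(tok, "budget.csv", b"salary,120000")               # constructed record
    roundtrip = store.get(tok, "budget.csv")
    store.logout(tok)
    at_rest = store.records["alice"]["blobs"]["budget.csv"]      # what the disk holds
    insider_sees_plaintext = b"salary" in at_rest
    bad = store.login("alice", "password123")                    # insider guessing
    try:
        store.get(bad, "budget.csv")
        wrong_password_rejected = False
    except ValueError:
        wrong_password_rejected = True
    return {"roundtrip": roundtrip,
            "insider_sees_plaintext": insider_sees_plaintext,
            "wrong_password_rejected": wrong_password_rejected,
            "keys_in_memory_after_logout": sum(1 for u, _ in store.sessions.values() if u == "alice") - 1}


if __name__ == "__main__":
    print(demo())
```

Note the design consequence: because the server keeps no password hash, a wrong password is not detected at login but only when the MAC check fails on decryption, which is exactly the property wanted here. The server cannot tell a right guess from a wrong one without the data itself yielding, and it cannot make that check offline against a stored hash. The weak point the passage also names remains: while a session is live, the key is in the provider's RAM, so a compelled or corrupt operator can still read data for users who are logged on.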

Are there any articles on protecting privacy in the cloud that you would recommend?